Iowa Department of Health and Human Services: Iowa HHS says data breach affected more than 6,700 Medicaid members

Iowa HHS Reports Data Breach Affecting 6,717 Medicaid Members

The Iowa Department of Health and Human Services (HHS) disclosed a data breach impacting 6,717 Medicaid members after a file containing limited subscriber information was inadvertently posted to its website. The department discovered the issue on February 20, determining the file had been exposed since February 16 before being promptly removed.

The exposed file included Medicaid subscriber identification numbers, names of linked Medicaid waiver programs, and dates of eligibility assessments. However, it did not contain subscriber names, addresses, contact details, or health information.

Iowa HHS has begun notifying affected individuals and published a public notice on its website. To mitigate risks, the department is providing guidance on requesting free credit reports from Equifax, Experian, and TransUnion, as well as options for placing no-cost credit freezes. Those concerned about potential identity theft are advised to contact local law enforcement or the Iowa Attorney General’s Consumer Protection Division.

In response to the incident, Iowa HHS has implemented additional staff training and is reviewing internal procedures to prevent future breaches.

Source: https://cbs2iowa.com/news/local/iowa-hhs-says-data-breach-affected-more-than-6700-medicaid-members

Iowa Department of Health and Human Services cybersecurity rating report: https://www.rankiteo.com/company/iowahhs

"id": "IOW1776141002",
"linkid": "iowahhs",
"type": "Breach",
"date": "2/2026",
"severity": "50",
"impact": "2",
"explanation": "Attack limited on finance or reputation"

{'affected_entities': [{'customers_affected': '6717',
                        'industry': 'Healthcare',
                        'location': 'Iowa, USA',
                        'name': 'Iowa Department of Health and Human Services '
                                '(HHS)',
                        'type': 'Government Agency'}],
 'attack_vector': 'Accidental Data Exposure',
 'customer_advisories': 'Affected individuals notified; advised to contact '
                        'local law enforcement or Iowa Attorney General’s '
                        'Consumer Protection Division if concerned about '
                        'identity theft',
 'data_breach': {'number_of_records_exposed': '6717',
                 'personally_identifiable_information': 'No (excluded names, '
                                                        'addresses, contact '
                                                        'details, or health '
                                                        'information)',
                 'sensitivity_of_data': 'Low to Moderate',
                 'type_of_data_compromised': 'Medicaid subscriber '
                                             'identification numbers, names of '
                                             'linked Medicaid waiver programs, '
                                             'dates of eligibility '
                                             'assessments'},
 'date_detected': '2024-02-20',
 'date_publicly_disclosed': '2024-02-20',
 'description': 'The Iowa Department of Health and Human Services (HHS) '
                'disclosed a data breach impacting 6,717 Medicaid members '
                'after a file containing limited subscriber information was '
                'inadvertently posted to its website. The exposed file '
                'included Medicaid subscriber identification numbers, names of '
                'linked Medicaid waiver programs, and dates of eligibility '
                'assessments, but did not contain subscriber names, addresses, '
                'contact details, or health information.',
 'impact': {'data_compromised': 'Medicaid subscriber identification numbers, '
                                'names of linked Medicaid waiver programs, '
                                'dates of eligibility assessments',
            'identity_theft_risk': 'Potential',
            'systems_affected': 'Iowa HHS website'},
 'investigation_status': 'Completed',
 'lessons_learned': 'Need for improved internal procedures and staff training '
                    'to prevent accidental data exposure',
 'post_incident_analysis': {'corrective_actions': 'Additional staff training, '
                                                  'review of internal '
                                                  'procedures',
                            'root_causes': 'Inadvertent posting of sensitive '
                                           'file to public website'},
 'recommendations': 'Implement stricter access controls, conduct regular '
                    'audits of public-facing systems, and enhance staff '
                    'training on data handling',
 'references': [{'source': 'Iowa HHS Public Notice'}],
 'response': {'communication_strategy': 'Public notice on website, '
                                        'notifications to affected individuals',
              'containment_measures': 'File removed from website',
              'remediation_measures': 'Additional staff training, review of '
                                      'internal procedures'},
 'stakeholder_advisories': 'Guidance on requesting free credit reports and '
                           'placing no-cost credit freezes',
 'title': 'Iowa HHS Data Breach Affecting Medicaid Members',
 'type': 'Data Breach'}